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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
Survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[| Yes 


K No 


Q2 If not, please specify where improvements could be made. 


The code is lengthy and technical which some smaller organisations 
may struggle to interpret. 


There is repetition throughout and duplication of information which is 
already available via existing guidance, for example the updated DPA 


Principles and ICO Enforcement. Suggest you could link to the 
information already available. 


The Summary section goes into a lot of the detail in the actual code and 
suggest this could be streamlined. 





Q3 Does the draft code cover the right issues about data sharing? 
[|] Yes 


K No 
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Q4 If no, what other issues would you like to be covered in it? 


The Title doesn’t specifically mention it only covers controller to 
controller, which could be misleading. 


Code should list the types of organisations it is aimed at, as it is very 
technical in parts. 





Q5 Does the draft code contain the right level of detail? 
[I Yes 


K No 


Q6__—siIf no, in what areas should there be more detail within the draft 
code? 


Lengthy and technical, should be able to link to information already 
available. Suggest it should be checked for plain language / English to 
make it easier to read/understand especially for smaller organisations. 


Although we understand that sharing is technically disclosure we would 
suggest to include a clear definition between data sharing and data 
disclosure. For example: 


e “sharing” - to mean reciprocal arrangements i.e. a back forth 
process to provide information e.g. within a multi-disciplinary 
team of different agencies or use of a joint database 

e “disclosure” — to mean a one-off provision of data e.g. where the 
police provided the “gangs dbase” to the LA, nothing comes back. 





Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation's data sharing practices? 


[| Yes 


K No 
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Q8__siIf no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


Separation of sharing with data processors isn't necessary and that it 
would be beneficial to have all data sharing guidance in one place. 


Focusing on controller to controller (which is not explicit in the code 
title) could give the impression that sharing with processors is less 
important, for example with consideration of DPIAs. Appreciate the 
contract requirements are different but suggest that this isn't a big 
enough reason to separate them out as all other considerations, i.e. risk 
reviews still apply. 


More detail around scientific research would be useful. For example, it 
would be useful to highlight the pseudonymisation link/requirement. 
Highlighting pseudonymised data under the definition of personal data 
would have been useful, individuals confuse pseudonymised data with 
anonymised data, particularly with research. 





Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[| Yes 


K No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


Page 57 - Other Legal Requirements - missing examples or scenarios to 
assist organisations with understanding this section. 





Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


Yes 
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O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


Yes 


O No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


Page 4 - First bullet point, needs to clarify that the statutory 
requirement is for the ICO to produce the Code. The Code is then good 
practice for organisations to adopt to support compliance with DPA. 


Page 13 - Misconception (first box), this could be strengthened 
especially to account for public sector organisations and reflect the 
ICO’s existing guidance regarding consent. 


Page 13 - There is a fairly lengthy section on the ‘benefits of sharing’, 
which doesn’t necessarily promote compliance with data protection 


legislation. Could this be usefully covered in the foreword or form a 
separate briefing document that could be linked to the code? This would 
help streamline the code. 


Perhaps this could include reference to examples of solutions / 
initiatives to support effective sharing of personal data; e.g. the Wales 
Accord on the Sharing of Personal Data (WASPI), case studies produced 
by the Data Sharing Centre of Excellence in England (no longer a live 
service but case studies available on the website). 
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Page 26 - Suggest this section could be the checklist with links to the 
Supplement narrative as the information is already available. 


Appendix A - It was a shame this wasn't included, as due to the current 
length of the code, it would be beneficial to most organisations as the 
Starting point to understand what they need to do and when. 


More examples of public interest, particularly around police disclosures, 
would be useful. For example, the IGA guidance which includes a 
confidentiality vs importance of disclosing table is a very useful as a 
visual aid. 


Overall comments 
Useful document for experts, however very technical throughout which 
might put people off. 


Scenarios and examples were real life and help put elements of the 
code into everyday working practice. 


Thank you for allowing us the opportunity to comment and should you 
require any further clarification regarding our comments, please do not 
hesitate to contact us via IGMAG. 





Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


O Strongly agree 
[| Agree 
L 


Neither agree nor disagree 


Xl 


Disagree 


L 


Strongly disagree 
Q16 Are you answering as: 


L] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


O An individual acting in a professional capacity 
O On behalf of an organisation 
Other 


Please specify the name of your organisation: 


information Commissioner's Office 


IG Professionals across NHS Organisations in Wales - as part of the 
Information Governance Management Advisory Group (IGMAG) 


Thank you for taking the time to share your views and experience. 


